Merge "Add horizon WebSSO support for OpenID Connect"
commit
829cde2f35
environments
puppet/services
sample-env-generator
@ -32,7 +32,7 @@ parameter_defaults:
|
||||
|
||||
# The url that points to your OpenID Connect provider metadata
|
||||
# Type: string
|
||||
KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/metadata
|
||||
KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration
|
||||
|
||||
# Attribute to be used to obtain the entity ID of the Identity Provider from the environment.
|
||||
# Type: string
|
||||
@ -44,7 +44,19 @@ parameter_defaults:
|
||||
|
||||
# A list of dashboard URLs trusted for single sign-on.
|
||||
# Type: comma_delimited_list
|
||||
KeystoneTrustedDashboards: https://dashboard.example.test
|
||||
KeystoneTrustedDashboards: https://dashboard.example.test/dashboard/auth/websso/
|
||||
|
||||
# Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
|
||||
# Type: json
|
||||
WebSSOChoices: [['OIDC', 'OpenID Connect']]
|
||||
|
||||
# Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.
|
||||
# Type: json
|
||||
WebSSOIDPMapping: {'OIDC': ['myidp', 'openid']}
|
||||
|
||||
# The initial authentication choice to select by default
|
||||
# Type: string
|
||||
WebSSOInitialChoice: OIDC
|
||||
|
||||
# ******************************************************
|
||||
# Static parameters - these are values that must be
|
||||
@ -58,6 +70,10 @@ parameter_defaults:
|
||||
# Type: boolean
|
||||
KeystoneOpenIdcEnable: True
|
||||
|
||||
# Enable support for Web Single Sign-On
|
||||
# Type: boolean
|
||||
WebSSOEnable: True
|
||||
|
||||
# *********************
|
||||
# End static parameters
|
||||
# *********************
|
||||
|
@ -89,10 +89,33 @@ parameters:
|
||||
default: ''
|
||||
description: Horizon has a global overrides mechanism available to perform customizations
|
||||
type: string
|
||||
WebSSOEnable:
|
||||
default: false
|
||||
type: boolean
|
||||
description: Enable support for Web Single Sign-On
|
||||
WebSSOInitialChoice:
|
||||
default: 'OIDC'
|
||||
type: string
|
||||
description: The initial authentication choice to select by default
|
||||
WebSSOChoices:
|
||||
default:
|
||||
- ['OIDC', 'OpenID Connect']
|
||||
type: json
|
||||
description: Specifies the list of SSO authentication choices to present.
|
||||
Each item is a list of an SSO choice identifier and a display
|
||||
message.
|
||||
WebSSOIDPMapping:
|
||||
default:
|
||||
'OIDC': ['myidp', 'openid']
|
||||
type: json
|
||||
description: Specifies a mapping from SSO authentication choice to identity
|
||||
provider and protocol. The identity provider and protocol names
|
||||
must match the resources defined in keystone.
|
||||
|
||||
conditions:
|
||||
|
||||
debug_unset: {equals : [{get_param: Debug}, '']}
|
||||
websso_enabled: {equals : [{get_param: WebSSOEnable}, True]}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
@ -142,6 +165,19 @@ outputs:
|
||||
horizon::listen_ssl: {get_param: EnableInternalTLS}
|
||||
horizon::horizon_ca: {get_param: InternalTLSCAFile}
|
||||
horizon::customization_module: {get_param: HorizonCustomizationModule}
|
||||
-
|
||||
if:
|
||||
- websso_enabled
|
||||
-
|
||||
horizon::websso_enabled:
|
||||
get_param: WebSSOEnable
|
||||
horizon::websso_initial_choice:
|
||||
get_param: WebSSOInitialChoice
|
||||
horizon::websso_choices:
|
||||
get_param: WebSSOChoices
|
||||
horizon::websso_idp_mapping:
|
||||
get_param: WebSSOIDPMapping
|
||||
- {}
|
||||
-
|
||||
if:
|
||||
- debug_unset
|
||||
|
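Review bot: The defaults for `WebSSOIDPMapping` (`'OIDC': ['myidp', 'openid']`) and `WebSSOChoices` bake the sample identity-provider name into the service template, so a deployment that only sets `WebSSOEnable: true` gets a login page pointing at an identity provider that probably does not exist in keystone. Nothing in the visible hunks ties the mapping to `KeystoneOpenIdcIdpName`, so the two values can drift apart without any error at deploy time. I would either default both parameters to empty and require them when `websso_enabled` is true, or extend the description, e.g. `The identity provider name must equal KeystoneOpenIdcIdpName; the default is a placeholder.` It is also worth confirming whether a local-credentials entry belongs in the default `WebSSOChoices`; as far as I know Horizon only offers the keystone username/password form when a `credentials` choice is listed, which matters for break-glass admin access when the identity provider is unavailable.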
@ -16,18 +16,26 @@ environments:
|
||||
- KeystoneOpenIdcCryptoPassphrase
|
||||
- KeystoneOpenIdcResponseType
|
||||
- KeystoneOpenIdcRemoteIdAttribute
|
||||
puppet/services/horizon.yaml:
|
||||
parameters:
|
||||
- WebSSOEnable
|
||||
- WebSSOInitialChoice
|
||||
- WebSSOChoices
|
||||
- WebSSOIDPMapping
|
||||
sample_values:
|
||||
KeystoneFederationEnable: True
|
||||
KeystoneOpenIdcEnable: True
|
||||
WebSSOEnable: True
|
||||
KeystoneAuthMethods: 'password,token,openid'
|
||||
KeystoneTrustedDashboards: 'https://dashboard.example.test'
|
||||
KeystoneTrustedDashboards: 'https://dashboard.example.test/dashboard/auth/websso/'
|
||||
KeystoneOpenIdcIdpName: 'myidp'
|
||||
KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/metadata'
|
||||
KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration'
|
||||
KeystoneOpenIdcClientId: 'myclientid'
|
||||
KeystoneOpenIdcClientSecret: 'myclientsecret'
|
||||
static:
|
||||
- KeystoneFederationEnable
|
||||
- KeystoneOpenIdcEnable
|
||||
- WebSSOEnable
|
||||
description: |
|
||||
This is an example template on how to configure keystone federation for
|
||||
the OpenID Connect protocol. You must modify the parameters to use
|
||||
|
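Review bot: The new `KeystoneTrustedDashboards` sample value is a full endpoint URL (`https://dashboard.example.test/dashboard/auth/websso/`), but nothing in the sample tells the operator that the path and trailing slash are significant. As far as I know keystone compares the dashboard origin with this list as exact strings, and the SSO token is handed back to that URL, so each entry should be the HTTPS WebSSO endpoint exactly as Horizon is served and nothing broader. I would add a sentence to the `description:` block such as `KeystoneTrustedDashboards must be the exact https URL of each dashboard's /auth/websso/ endpoint, including the trailing slash.` The description text continues past the end of this hunk, and the same sample values appear in the generated environments file earlier on the page.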